Sunday, August 10, 2008
Please: understand these news stories with the "right" perspective
I want to reiterate my original purpose in starting this particular (generally small) blog. That was to suggest that a system be developed for financial institutions and other businesses to verify customer identity, and that due diligence procedures that businesses should follow be developed. I first placed this proposal on this blog on June 6, 2006, and then moved it to the entry of September 25, 2006 (the archive links on the left may be followed to find these).
The media is constantly reporting incidents where large businesses and government agencies compromise consumer security. This is a developing issue, with many components. For example, in the past local governments used to publish many public records and other matters in open spaces on the Internet; many of them have stopped this practice to protect consumers. Businesses have allowed employees to take work home on laptops and have used live consumer production data for quality assurance testing of system upgrades; obviously, many practices in the way systems people and other employees work with live data have had to be changed and restricted. When I was working in a mainframe IT shop in the 1990s, there was much less attention to physical security of copies of data, because this sort of problem had not become public yet. (Even so, a Merrill Lynch credit card of mine became compromised with bogus telephone charges from Canada in 1995; fortunately the problem was cleared and money refunded, but not without three hours of my time.)
The media is also constantly warning consumers to “be very afraid.” Most of the time, the consequences of data compromise are limited to credit reports and to bogus charges that can be reversed, or to bank accounts that can be restored. But sometimes there is real harm, and in a few cases people have been wrongfully prosecuted when their identities were taken. I think I have to sound like CNN reporter Lou Dobbs on this one. There is no reason why we cannot expect our financial institutions and vendors to be more careful and practice more due diligence with consumer data. We can develop new systems to help banks and vendors do this. That is one of the ideas that this blog is all about.
When making a proposal like this, one has to account for all the known vulnerabilities. Part of systems analysis is to write up all the “business requirements” and for consumer protection, it’s necessary to catalog all the ways consumers become vulnerable. In the past, documentation of proposed system requirements stayed within an organization, often as proprietary information. That would be true now. However, if an individual wants to propose this idea in a public forum and make it public, to attract money later, the speaker will need to enumerate and reference all the known problems.
That is certainly the case with my posting yesterday, where an overseas physicist had uncovered one of the most dangerous vulnerabilities deep within the Internet and published it on his own blog. If another blogger (me) gives a link to that, the purpose is to account for the problem, as well as to back up the details of a news story (in this case, in the New York Times) with more “original” research and links. The purpose is not, in any sense, to encourage anyone to try the experiment suggested in this or any other comparable link. The World Wide Web is full of accounts of how to do some very anti-social and illegal things, and they are easily found on all search engines. This particular original news story is particularly shocking, and may provide a clue to other important and unresolved security problems that have been reported recently on the web.
Journalists report on “bad behavior” and give some details all the time. Sometimes the details concern what makes someone who commits criminal acts “tick.” There are plenty of examples of this in the past ten years (especially recently). Sometimes the details simply tell authorities or larger companies that they need to develop much more sophisticated security systems. Sometimes there is, in the view of the public, a nagging concern about the “motives” of an “amateur” who posts the same information when working outside the normal media or journalistic “establishment.” I’ve talked about these issues on other blogs, particularly in the context of “online reputation.” The fact is, to be worthwhile, a blog or website about a public problem needs to account for all the facts about it, however disturbing these facts are, regardless of the authorship of the website.